Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Your Thing is pwnd - Security Challenges for the Internet of Things

The growth of Internet connected devices is hard to comprehend. From health monitoring gadgets to Home Automation systems. The real world is getting Internet connected.

Lots of these devices are built on 8-bit microcontrollers. Often they use unencrypted radio comms or networking, and default passwords. Do we care? Maybe they are too simple, too uninteresting to hack?
Visit examples of hacking Things, why we should care and how to fix it.

If you are building a Thing, using an internet connected Thing, or working with data from Things, come along to find out what you should know about securing them.

“Lots of people are emailing me and joking about what they’d do if they hacked the device,” said Way. “We believe this device is not hackable. But even if somebody managed to get in, the worst consequence would be lots of women having orgasms in unusual places.”

4.
My three rules for IoT security
• 1. Don’t be dumb
• 2. Think about what’s different
• 3. Do be smart

5.
My three rules for IoT security
• 1. Don’t be dumb
– The basics of Internet security haven’t gone away
• 2. Think about what’s different
– What are the unique challenges of your device?
• 3. Do be smart
– Use the best practice from the Internet

8.
So what is different about IoT?
• The fact there is a device
– Yes – its hardware!
– Ease of use is almost always at odds with security
• The longevity of the device
– Updates are harder (or impossible)
• The size of the device
– Capabilities are limited – especially around crypto
• The data
– Often highly personal
• The mindset
– Appliance manufacturers don’t always think like security experts
– Embedded systems are often developed by grabbing existing chips, designs, etc

27.
Passwords
• Passwords suck for humans
• They suck even more for devices

28.
Why Federated Identity for Things?
• Enable a meaningful consent mechanism for sharing of device
data
• Giving a device a token to use on API calls better than giving it a
password
– Revokable
– Granular
• May be relevant for both
– Device to cloud
– Cloud to app
• “Identity is the new perimeter”